Services Based Pentest Checklist

Symfony PHP

• Symfony Profiler Enabled

/app_dev.php
/app_dev.php/_profiler
/_profiler
/_profiler/latest
/_profiler/search
/_profiler/phpinfo
/_profiler/{token}
/_wdt/{token}
/app_example.php
/app_test.php
/index_dev.php
/config.php
/_configurator/
/_configurator/steps
/_configurator/step/{index}

---

Laravel

• Laravel Debug Mode / Telescope / Ignition / Horizon / Pulse

/.env
/_debugbar
/_debugbar/open
/_debugbar/clockwork/{id}
/telescope
/telescope/requests
/telescope/exceptions
/ignition/execute-solution
/ignition/update-options
/horizon
/horizon/api/*
/pulse

---

WordPress

• WordPress Debug / Config / XMLRPC / Users Enum

/wp-config.php
/wp-config.php~
/wp-config.php.bak
/wp-config.php.old
/wp-admin/install.php
/xmlrpc.php
/wp-json/wp/v2/users
/wp-json/wp/v2/users/{id}
/readme.html
/license.txt
/wp-includes/version.php

---

Django

• Django Debug Mode / Admin / Debug Toolbar

/.env
/admin
/admin/login
/debug
/__debug__
/static/debug_toolbar/
/djdt/
/djdt/debug_toolbar

---

Rails

• Rails Console / Info / DB / Pwned

/rails/info/properties
/rails/console
/rails/db
/pwned
/.env
/config/database.yml

---

Express.js / Node.js

• Debug Routes / Env / Config Exposure

/.env
/debug
/trace
/env
/config
/status
/version

---

Flask

• Flask Debug Mode / Console

/.env
/console
/debug
/flask.debug
/_debug

---

GraphQL

• Introspection Enabled / IDEs

/graphql
/graph
/graphiql
/graphql/console
/graphql.php
/graphiql.php
/api/graphql
/v1/graphql
/v1/explorer
/v1/graphiql
/altair
/playground
/graphql-playground
/graphiql/fiddle

---

Next.js

• Next.js Debug / Env / Dev Files

/.env
/.env.local
/.env.production
/_next/static/development
/api/debug
/.next/

---

Strapi

• Strapi Admin / Dashboard / Env

/admin
/dashboard
/.env
/strapi
/plugins/users-permissions

---

Spring Boot

• Actuator Endpoints / Jolokia / Hawtio

/actuator
/actuator/env
/actuator/beans
/actuator/mappings
/actuator/health
/actuator/info
/actuator/heapdump
/actuator/threaddump
/actuator/loggers
/actuator/conditions
/jolokia
/jolokia/exec
/hawtio
/api/hawtio

---

ASP.NET

• Debug / Trace / Config Exposure

/trace.axd
/elmah.axd
/Web.config
/web.config.bak
/web.config~
/App_config/connectionStrings.config

---

PHP General

• PHP Info / Config / Backups

/phpinfo.php
/info.php
/test.php
/php.ini
/php.ini~
/php.ini.bak
/server-status
/server-info

---

Apache

• Server Status / Info / Mod Pages

/server-status
/server-info
/mod_status
/.htaccess
/.htpasswd

---

Nginx

• Status / Stub Status

/nginx_status
/status
/stub_status

---

Tomcat

• Manager / Host Manager / Examples

/manager/html
/host-manager/html
/examples
/docs
/admin

---

Kibana

• Kibana Dashboard / Timelion / Console

/app/kibana
/app/timelion
/app/console
/api/console

---

Elasticsearch

• Cluster Info / Indices / Cat APIs

/_cat
/_cat/indices
/_cat/nodes
/_cluster/health
/_nodes/stats
/*/_search

---

MongoDB

• Mongo Express / Admin UI

/dbadmin
/mongo
/admin/mongo
/me

---

Redis

• Redis CLI / Web UI

/redis
/phpredisadmin
/redis-cli

---

Docker

• Docker API / Registry / Swarm

/_ping
/v1.41/info
/v1.41/containers/json
/v2/_catalog

---

General Misconfig Checks

• Environment Files

/.env
/.env.local
/.env.production
/.env.example
/config.php
/configuration.php
/settings.php

• Backup / Source Files

/*.bak
/*.old
/*.txt
/*~
/backup
/backups
/*.sql
/*.zip
/*.tar.gz

• Directory Listing / Uploads

/uploads/
/files/
/assets/
/static/
/media/
/user_uploads/

• Git / SVN Exposure

/.git/
/.git/HEAD
/.git/config
/.svn/entries
/.hg/

Postman API Platform

• Public Workspaces

https://www.postman.com/{companyName}/?tab=workspaces

Salesforce

• Salesforce Lightning Aura Components Enabled

- Test:
POST /aura HTTP/2
Host: {TARGET}.lightning.force.com
Content-Type: application/json

{}
------------------------
- FQDNs:
*.force.com
*.secure.force.com
*.live.siteforce.com
---------------------------
- Other Endpoints
/sfsites/aura
/s/sfsites/aura

Trello

• View Permissions on Trello Boards

site:trello.com "company"
https://trello.com/b/{BOARD_ID}

Figma

• View access misconfiguration

https://www.figma.com/file/{DesignID}/{DesignFileName}

Freshworks Freshservice

• Open User Registration

https://<companyName>.freshservice.com/support/signup

Slack

• No Admin Approval for Invitations

To check if you have permissions to invite a new member:

1. Sign in to your Slack Workspace

2. Open any channel

3. Click on Add people

4. A popup will open up, enter the user's email address

5. Finally, click Add

These reproduction steps prove that you're able to invite new members without approval from an administrator.

Atlassian Bitbucket

• Publicly Accessible Private Repositories

https://bitbucket.org/{WORKSPACE_ID}
site:bitbucket.org inurl:/workspace/projects

Atlassian Confluence

• Anonymous access to Remote API

## XML-RPC HTTP Request to retrieve a specific page for example:
POST /rpc/xmlrpc HTTP/1.1
Host: confluence.example.com
Content-Type: text/xml
...

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
 <methodName>confluence2.getPage</methodName>
 <params>
  <param>
   <value>
    <string>{SPACE_KEY}</string>
   </value>
  </param>
  <param>
   <value>
    <string>{PAGE_TITLE}</string>
   </value>
  </param>
 </params>
</methodCall>

--------------------------------
## Curl:
curl -X POST -H 'Content-Type: text/xml' -d '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>confluence2.getPage</methodName><params><param><value><string>{SPACE_KEY}</string></value></param><param><value><string>{PAGE_TITLE}</string></value></param></params></methodCall>' http://confluence.example.com/rpc/xmlrpc

------------------------------------
## SOAP: /rpc/soap-axis/confluenceservice-v2

• Disabled XSRF Protection

In case XSRF Protection is turned off, bad actors could post comments on other user's behalf by just sending them a link to an attacker controlled site that replicates the POST request.

• User Email Visibility

There is no specific testing procedure for this misconfiguration. Email addresses are visible next to the user's name on posts for example.

• Misconfigured Spaces

Visit the following application route to check if anonymous users can view and read any information on Confluence Spaces:

https://<companyName>.atlassian.net/wiki/spaces

Atlassian Jira

• Open User Registration

You can cross-check if user registration is open for anyone by navigating to the following app route:

/secure/Signup!default.jspa

• Misconfigured Email Visibility

Open up any user's profile in your Jira instance as an anonymous user and verify that you can view the email address of the user.

• Open Service Desk registration

Navigate to the following app route and check if signups are enabled:

/servicedesk/customer/user/login

AWS S3

• Misconfigured List Permissions

aws s3 ls s3://{BUCKET_NAME} --no-sign-request

Cloudflare R2

• R2.DEV Enabled

You can make use of search syntaxis supported by several popular search engines like Google to enumerate R2 buckets belonging to your target company or organization:

site:.r2.dev "company"

Google Groups

• Misconfigured read permissions

site:groups.google.com "{companyName}"

Google Docs

• Misconfigured read permissions

https://docs.google.com/document/d/{documentId}/edit

Google Cloud Storage Bucket

• Misconfigured access controls

https://{companyName}.storage.googleapis.com/
https://storage.googleapis.com/{companyName}

Indexing can also be allowed, to cross-check, you can make use of search filters that search engines like Google provide:

site:storage.googleapis.com "{companyName}"

Google OAuth

• Unrestricted email domains

https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=company.com

--------------------------------
Change it to example.com:
--------------------------------

https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=example.com

Jenkins

• Open Signups

- Enumerate jenkist subdomains
jenkist.domain.com

- Check those endpoints
/signup
/jenkins/signup

• Public Groovy Script Console

- Check if Groovy Script Console is publicly accessible:

/script

---------------------------------
- Test:

curl -s 'https://jenkins.{HOST}/script' -X 'POST' --data 'script={SCRIPT}'

or:

curl -s 'https://jenkins.{HOST}/scriptText' -X 'POST' --data 'script={SCRIPT}'

GitLab

• Gitlab Private Source Code Snippets Exposed

/explore/snippets

Drupal

- Brute Force IDs
/node/{ID}

Automation

Misconfig Mapper Docs | Intigriti - Hack Hubbugology.intigriti.io